Company Tests How Employees Handle Social Engineering Attacks

Posing as hackers, researchers identify vulnerabilities at Croatian telecom giant

10 October 2016

One of a company’s biggest security vulnerabilities is its own employees, and hackers know it. Attackers often use social engineering—the practice of manipulating people so they give up confidential information—through phone conversations, email, and social media.

Social engineering attacks include phishing email messages, which appear to be from a reputable source such as a coworker or a customer but are sent by a hacker to gain details about an account, such as passwords and personal information.

To find out how easy it would be to induce its employees to give up unauthorized customer information, researchers from Hrvatski Telecom, Croatia’s leading telecommunications company, devised a so-called penetration test. Hrvatski, based in Zagreb, has more than 1,000 employees with access to customer or employee data. The company has tried to train them in security measures through workshops and e-courses. And the workers have been made aware that a security breach could damage the company’s reputation and bottom line.

The penetration test was conducted for Hrvatski by an outside company specializing in information security. Employees were not informed of the mock hack attack beforehand.

Hrvatski asked the security company to attempt to access or change data by manipulating employees to give away confidential information. Examples included pretending to be a customer and asking to reset the account password, ordering a new telecom service, and changing payment options. Only accounts of customers who had first given permission for tests were targeted.

In several instances, the faux hackers were able to trick employees to give up account information. Perhaps most surprisingly, the researchers found that most successful penetrations were due not to employees who didn’t care about security but to employees unfamiliar with the company’s security process. The findings were reported in the proceedings of the IEEE International Convention on Information and Communication Technology, Electronics, and Microelectronics in June. The proceedings can be downloaded from the IEEE Xplore Digital Library.

“Social engineers are con artists, and are very creative in what they do,” says Luka Pauk, a data and IT system security expert at Hrvatski Telekom. “They must have acting skills to be convincing, and be able to improvise if things don’t go as expected.” Pauk authored the paper with fellow researchers Ivan Sedinić and Zrinka Lovrić Švehla.

THE ART OF IMPERSONATION

To exploit people’s trust, social engineering often employs techniques like phishing (eliciting information via email and social media), vishing (asking questions during a telephone conversation), and impersonation (acting as a trustworthy person to gain access to an account or computer system).

A common type of attack employs malware, spread via an email message sent as an attachment or link to a website. The message might look like an invoice requesting immediate payment, or made to appear as if it were sent from a company’s CEO or high-ranking manager. Malware, when downloaded, can be used to gather sensitive information and gain access to computer systems.

Attackers generally target employees new to their company, who may lack training and experience, Pauk says. Or the attackers email “shot in the dark” messages to a company, hoping to find an employee who might not be so concerned or informed about security.

THE OUTCOME

The most serious breach was that the researchers gained access to the company’s database, which includes customers’ data.

The most successful attempts were not due to the researchers’ persuasion but to employees’ mistakes and unfamiliarity with the company’s security process. In some instances, it turned out, the company’s written instructions were unclear or too complicated; employees were overwhelmed by how to handle every situation, the researchers said.

The researchers recommended that security instructions to employees be simplified. They suggested that employees receive a written, unambiguous customer identification process, as well as a security checklist to apply to various scenarios.

The researchers also recommended that all employees be taught the basics of cybersecurity and social engineering, and that the company continue to conduct penetration tests.

All the recommendations have been implemented.

Other businesses ought to bolster their security by conducting similar experiments, Pauk says, adding that it’s important to educate the entire staff. “Every employee using a computer with Internet access should be trained,” he says.

Learn More